3.26. OTHER WEIRD STACK HACKS3.26.2 Returning string
This is classic bug from Brian W. Kernighan, Rob Pike,Practice of Programming, (1999):#include <stdio.h>char* amsg(int n, char* s)
{
char buf[100];sprintf (buf, "error %d: %s\n", n, s) ;return buf;
};int main()
{
amsg ("%s\n", interim (1234, "something wrong!"));
};It would crash. First, let’s understand, why.This is a stack state before amsg() return:(lower addresses)[amsg(): 100 bytes]
[RA] <- current SP
[two amsg arguments]
[something else]
[main() local variables](upper addresses)When amsg() returns control flow tomain(), so far so good. Butprintf()is called frommain(), which
is, in turn, use stack for its own needs, zapping 100-byte buffer. A random garbage will be printed at the
best.Hard to believe, but I know how to fix this problem:#include <stdio.h>char* amsg(int n, char* s)
{
char buf[100];sprintf (buf, "error %d: %s\n", n, s) ;return buf;
};char* interim (int n, char* s)
{
char large_buf[8000];
// make use of local array.
// it will be optimized away otherwise, as useless.
large_buf[0]=0;
return amsg (n, s);
};int main()
{
printf ("%s\n", interim (1234, "something wrong!"));
};It will work if compiled by MSVC 2013 with no optimizations and with/GS-option^54. MSVC will warn:
“warning C4172: returning address of local variable or temporary”, but the code will run and message will
be printed. Let’s see stack state at the moment when amsg() returns control to interim():
(^54) Turn off buffer security check